152 lines
3.6 KiB
YAML
152 lines
3.6 KiB
YAML
---
|
|
- name: ssl-cert package is installed
|
|
ansible.builtin.apt:
|
|
name: ssl-cert
|
|
state: present
|
|
tags:
|
|
- haproxy
|
|
- packages
|
|
|
|
- name: HAProxy SSL directory is present
|
|
ansible.builtin.file:
|
|
path: /etc/haproxy/ssl
|
|
owner: root
|
|
group: root
|
|
mode: "0700"
|
|
state: directory
|
|
tags:
|
|
- haproxy
|
|
- ssl
|
|
|
|
- name: Self-signed certificate is present in HAProxy ssl directory
|
|
ansible.builtin.shell:
|
|
cmd: "cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key > /etc/haproxy/ssl/ssl-cert-snakeoil.pem"
|
|
args:
|
|
creates: /etc/haproxy/ssl/ssl-cert-snakeoil.pem
|
|
notify: reload haproxy
|
|
tags:
|
|
- haproxy
|
|
- ssl
|
|
|
|
- name: HAProxy stats_access_ips are present
|
|
ansible.builtin.blockinfile:
|
|
dest: /etc/haproxy/stats_access_ips
|
|
create: yes
|
|
block: |
|
|
{% for ip in haproxy_stats_access_ips | default([]) %}
|
|
{{ ip }}
|
|
{% endfor %}
|
|
notify: reload haproxy
|
|
tags:
|
|
- haproxy
|
|
- config
|
|
- update-config
|
|
|
|
- name: HAProxy stats_admin_ips are present
|
|
ansible.builtin.blockinfile:
|
|
dest: /etc/haproxy/stats_admin_ips
|
|
create: yes
|
|
block: |
|
|
{% for ip in haproxy_stats_admin_ips | default([]) %}
|
|
{{ ip }}
|
|
{% endfor %}
|
|
notify: reload haproxy
|
|
tags:
|
|
- haproxy
|
|
- config
|
|
- update-config
|
|
|
|
- name: HAProxy maintenance_ips are present
|
|
ansible.builtin.blockinfile:
|
|
dest: /etc/haproxy/maintenance_ips
|
|
create: yes
|
|
block: |
|
|
{% for ip in haproxy_maintenance_ips | default([]) %}
|
|
{{ ip }}
|
|
{% endfor %}
|
|
notify: reload haproxy
|
|
tags:
|
|
- haproxy
|
|
- config
|
|
- update-config
|
|
|
|
- name: HAProxy deny_ips are present
|
|
ansible.builtin.blockinfile:
|
|
dest: /etc/haproxy/deny_ips
|
|
create: yes
|
|
block: |
|
|
{% for ip in haproxy_deny_ips | default([]) %}
|
|
{{ ip }}
|
|
{% endfor %}
|
|
notify: reload haproxy
|
|
tags:
|
|
- haproxy
|
|
- config
|
|
- update-config
|
|
|
|
- ansible.builtin.include: packages_backports.yml
|
|
when: haproxy_backports | bool
|
|
|
|
- name: Install HAProxy package
|
|
ansible.builtin.apt:
|
|
name: haproxy
|
|
state: present
|
|
tags:
|
|
- haproxy
|
|
- packages
|
|
|
|
- name: Copy HAProxy configuration
|
|
ansible.builtin.template:
|
|
src: "{{ item }}"
|
|
dest: /etc/haproxy/haproxy.cfg
|
|
force: "{{ haproxy_force_config }}"
|
|
validate: "haproxy -c -f %s"
|
|
loop: "{{ query('first_found', templates) }}"
|
|
vars:
|
|
templates:
|
|
- "templates/haproxy/haproxy.{{ inventory_hostname }}.cfg.j2"
|
|
- "templates/haproxy/haproxy.{{ host_group | default('all') }}.cfg.j2"
|
|
- "templates/haproxy/haproxy.default.cfg.j2"
|
|
- "templates/haproxy.default.cfg.j2"
|
|
notify: reload haproxy
|
|
when: haproxy_update_config | bool
|
|
tags:
|
|
- haproxy
|
|
- config
|
|
- update-config
|
|
|
|
- name: Rotate logs with dateext
|
|
ansible.builtin.lineinfile:
|
|
dest: /etc/logrotate.d/haproxy
|
|
line: ' dateext'
|
|
regexp: '^\s*#*\s*(no)?dateext'
|
|
insertbefore: '}'
|
|
tags:
|
|
- haproxy
|
|
- logrotate
|
|
|
|
- name: Rotate logs with nodelaycompress
|
|
ansible.builtin.lineinfile:
|
|
dest: /etc/logrotate.d/haproxy
|
|
line: ' nodelaycompress'
|
|
regexp: '^\s*#*\s*(no)?delaycompress'
|
|
insertbefore: '}'
|
|
tags:
|
|
- haproxy
|
|
- logrotate
|
|
|
|
- name: Set net.ipv4.ip_nonlocal_bind
|
|
ansible.posix.sysctl:
|
|
name: net.ipv4.ip_nonlocal_bind
|
|
value: "{{ haproxy_allow_ip_nonlocal_bind | ternary('1','0') }}"
|
|
sysctl_file: "{{ evolinux_kernel_sysctl_path | default('/etc/sysctl.d/evolinux.conf') }}"
|
|
state: present
|
|
reload: yes
|
|
tags:
|
|
- haproxy
|
|
when:
|
|
- haproxy_allow_ip_nonlocal_bind is defined
|
|
- haproxy_allow_ip_nonlocal_bind is not none
|
|
|
|
- ansible.builtin.include: munin.yml
|